Agent Tesla is the name of a former keylogger turned full-on spyware that security researchers from Zscaler have seen used in live attacks against legitimate companies.

The attacks took the form of spam emails containing malicious Office files which, when opened, asked the user to run a macro. If the user agreed, the Office document would download and install the Agent Tesla malware.

All this spam came from a domain registered to look like the real domain of Diode Technologies, a legitimate consulting firm. Either Diode or its clients might have been the victims of a coordinated spear-phishing attack to compromise their computers and steal insider information.

Agent Tesla has been sold to crooks for the past two years
Based on YouTube videos found online, Agent Tesla has been around for at least two years, since 2014. Initially, this malware family was a simple keylogger that recorded user keystrokes and sent them back to the crook's server.

As time passed, the group behind this malware started adding more features, and it is now more accurate to call this threat spyware rather than a keylogger.

New Agent Tesla versions are coded in .NET and use a modular structure. The malware is available for sale online on the public Internet, and each buyer can decide which modules to deploy.

Agent Tesla's deadly features
Agent Tesla comes with the ability to take screenshots of the user's desktop, log keyboard keystrokes, log virtual keyboard keystrokes, steal clipboard data, take snapshots via the user's webcam, and automatically copy itself to USB drives in order to spread to other targets.

Furthermore, Agent Tesla can also dump passwords from applications such as Chrome, Opera, Yandex, Firefox, IE, SeaMonkey, Comodo, Chromium, DynDNS, Filezilla, FlashFXP, Outlook, Netscape, and others. Zscaler says that for this feature, Agent Tesla incorporates legitimate apps such as IEPasswordDump and MailPassView.

The spyware also includes anti-analysis tools that will automatically stop Agent Tesla execution when security software is detected or when the spyware detects that it's being executed from inside a virtual machine.

Agent Tesla can also uninstall itself when needed, or disable UAC, Taskmgr, CMD, Run, Control Panel, Regedit, SystemRestore, and other core Windows features.
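
For defenders, the feature tampering described above can be hunted for in registry telemetry. The following is an added example, not code from Zscaler's report or the original article: it assumes the features are switched off through the standard Windows policy registry values (the article does not say which mechanism Agent Tesla uses) and runs over constructed events shaped like Sysmon Event ID 13 records. The process path, SID and function names are hypothetical.

```python
import re

# (registry key suffix, value name) -> (feature named in the article, data that disables it)
# Mapping the article's feature list to these policy values is this example's assumption.
POL = r"microsoft\windows\currentversion\policies"
WATCHED = {
    (POL + r"\system", "enablelua"): ("UAC", {0}),
    (POL + r"\system", "disabletaskmgr"): ("Taskmgr", {1}),
    (POL + r"\system", "disableregistrytools"): ("Regedit", {1, 2}),
    (POL + r"\explorer", "norun"): ("Run", {1}),
    (POL + r"\explorer", "nocontrolpanel"): ("Control Panel", {1}),
    (r"policies\microsoft\windows\system", "disablecmd"): ("CMD", {1, 2}),
    (r"policies\microsoft\windows nt\systemrestore", "disablesr"): ("SystemRestore", {1}),
}
DWORD = re.compile(r"DWORD \(0x([0-9a-fA-F]{8})\)")

def find_tampering(events):
    """Return (feature, image) for every event that switches a watched feature off."""
    hits = []
    for image, target, details in events:
        key, _, value = target.lower().rpartition("\\")
        m = DWORD.fullmatch(details.strip())
        if not m:
            continue  # not a DWORD write, so not one of the watched policy values
        entry = next((v for (suffix, name), v in WATCHED.items()
                      if value == name and key.endswith(suffix)), None)
        if entry and int(m.group(1), 16) in entry[1]:
            hits.append((entry[0], image))
    return hits

def suspicious_processes(hits, threshold=3):
    """One process disabling several features is a stronger signal than a single write."""
    by_image = {}
    for feature, image in hits:
        by_image.setdefault(image, set()).add(feature)
    return {img: sorted(f) for img, f in by_image.items() if len(f) >= threshold}

# Constructed sample events: (Image, TargetObject, Details), modelled on Sysmon Event ID 13.
HKCU = r"HKU\S-1-5-21-0000\Software"
PROC = r"C:\Users\user\AppData\Roaming\sample.exe"
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
SAMPLE_EVENTS = [
    (PROC, HKCU + r"\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", "DWORD (0x00000001)"),
    (PROC, HKCU + r"\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", "DWORD (0x00000001)"),
    (PROC, HKCU + r"\Policies\Microsoft\Windows\System\DisableCMD", "DWORD (0x00000002)"),
    (PROC, UAC_KEY, "DWORD (0x00000000)"),
    # Benign: a tool re-enabling UAC must not be flagged.
    (r"C:\Windows\System32\reg.exe", UAC_KEY, "DWORD (0x00000001)"),
]

if __name__ == "__main__":
    print(suspicious_processes(find_tampering(SAMPLE_EVENTS)))
```

The `threshold` of three distinct features per process is an arbitrary starting point; legitimate Group Policy processing also writes these values, so tune it against a baseline of your own environment.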

Zscaler says it reported the squatted domain, and Diode Technologies had it taken down. Unfortunately, since crooks rent Agent Tesla for fees ranging from $9 to $30 per month, expect other threat groups to deploy it in future attacks. Below is an infographic taken from Agent Tesla's website, detailing some of its capabilities.